Sign-up

ID

VAR-202401-0297


CVE

CVE-2024-0297


TITLE

TOTOLINK  of  N200RE  in the firmware  OS  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-001217

DESCRIPTION

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This issue affects the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249863. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of N200RE The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2024-0297 // JVNDB: JVNDB-2024-001217 // VULMON: CVE-2024-0297

AFFECTED PRODUCTS

vendor:totolinkmodel:n200rescope:eqversion:9.3.5u.6139_b20201216

Trust: 1.0

vendor:totolinkmodel:n200rescope: - version: -

Trust: 0.8

vendor:totolinkmodel:n200rescope:eqversion: -

Trust: 0.8

vendor:totolinkmodel:n200rescope:eqversion:n200re firmware 9.3.5u.6139 b20201216

Trust: 0.8

sources: JVNDB: JVNDB-2024-001217 // NVD: CVE-2024-0297

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2024-0297
value: CRITICAL

Trust: 1.8

cna@vuldb.com: CVE-2024-0297
value: HIGH

Trust: 1.0

cna@vuldb.com:
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

cna@vuldb.com:
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD:
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2024-0297
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-001217 // NVD: CVE-2024-0297 // NVD: CVE-2024-0297

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-001217 // NVD: CVE-2024-0297

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2024-0297

EXTERNAL IDS
db:NVDid:CVE-2024-0297
Trust: 2.7
db:VULDBid:249863
Trust: 1.1
db:JVNDBid:JVNDB-2024-001217
Trust: 0.8
db:VULMONid:CVE-2024-0297
Trust: 0.1
sources:
            
            
            VULMON: CVE-2024-0297 // 
            
            
            
            JVNDB: JVNDB-2024-001217 // 
            
            
            
            NVD: CVE-2024-0297

REFERENCES
url:https://github.com/jylsec/vuldb/blob/main/totolink/n200re/uploadfirmwarefile/readme.md
Trust: 1.9
url:https://vuldb.com/?id.249863
Trust: 1.1
url:https://vuldb.com/?ctiid.249863
Trust: 1.1
url:https://nvd.nist.gov/vuln/detail/cve-2024-0297
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/78.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULMON: CVE-2024-0297 // 
            
            
            
            JVNDB: JVNDB-2024-001217 // 
            
            
            
            NVD: CVE-2024-0297

SOURCES
db:VULMONid:CVE-2024-0297
db:JVNDBid:JVNDB-2024-001217
db:NVDid:CVE-2024-0297

LAST UPDATE DATE
2024-05-17T23:09:38.751000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2024-0297date:2024-01-08T00:00:00
db:JVNDBid:JVNDB-2024-001217date:2024-02-01T05:39:00
db:NVDid:CVE-2024-0297date:2024-05-17T02:34:29.907

SOURCES RELEASE DATE
db:VULMONid:CVE-2024-0297date:2024-01-08T00:00:00
db:JVNDBid:JVNDB-2024-001217date:2024-02-01T00:00:00
db:NVDid:CVE-2024-0297date:2024-01-08T05:15:09.393